Wednesday, October 30, 2019

Misconfigured servers can give you a headache


The local, state and federal governments collect massive amounts of data from their citizens. There are massive data centers whose only function is to hold that data. While these are meant to secure the data, they face numerous attacks daily, ranging from simple scans to far more advanced ones. One of these states is Oklahoma, which had a notable issue. The Oklahoma Department of Securities is tasked with protecting investors.
Issue
Earlier this year a research team (the UpGuard Data Breach Research Team) disclosed an insecure server it had detected on December 7, 2018. The server had millions of files open to the public. It was registered to the Oklahoma Office of Management and Enterprise Services (OMES) but was actually owned by the Oklahoma Department of Securities. The server contained 3TB of data, millions of files, fully and openly accessible. It had possibly been open since at least November 2018 through the detection date.
Data
The data was located on an rsync service that was not secured. Rsync is generally used to synchronize files across systems. A person's data can be very sensitive and, in the wrong hands, provides information to unauthorized parties that the person never wanted disclosed. The data in this case involved a list of persons with a specific ailment, FBI investigation details, and other PII. One of the databases also held credentials and social security numbers for over 10K brokers. The credentials could have been used for remote access to Oklahoma Department of Securities workstations. The earliest records noted dated from 1986.
Remediation
As noted, the insecure server was detected on December 7, 2018. The owner was notified on December 8, 2018. Fortunately for the persons whose data was on the system, public access was removed immediately. The agency is working with a forensic team on an investigation. The government was very responsive and took responsibility for taking care of this. It did not wait for an extended period of time to act on the issue.
Lessons Learned
This is a rather unusual set of circumstances, nearly a trifecta. The issues compounded each other. The server was openly accessible by anyone, the data on the server was not encrypted, and it appears they had not been using TLS keys and certificates. At the very least the data at rest should have been encrypted and TLS enabled. These are basic, uncomplicated measures to ensure there are no such issues. It is curious how this was configured incorrectly and passed their internal checks. Allegedly the breach occurred while a firewall was being installed. While that is a good standard operating procedure, it should not have taken at least a week to implement. This issue emphasizes the need for timely work and proper configurations for systems.
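The kind of internal check that would have caught an open rsync module, as an added example that is not from the post or from the agency: an rsync daemon serves every [module] to any host with no password unless 'hosts allow' or 'auth users' restricts it, and 'list = yes' (the default) lets anyone enumerate module names. The rsyncd.conf below is constructed, not the Oklahoma configuration.

```python
"""Audit an rsyncd.conf for modules that anonymous clients can reach."""
import re

# Constructed sample: one wide-open module, one properly restricted module.
SAMPLE_RSYNCD_CONF = """\
# constructed example, not a real deployment
uid = nobody
list = yes

[records]
    path = /srv/records
    comment = archived case files
    read only = yes

[brokers]
    path = /srv/brokers
    auth users = sync
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/16
    list = no
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_SETTING = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.*?)\s*$")


def parse_rsyncd_conf(text):
    """Return (global_settings, {module: settings}); keys are lower-cased."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):      # rsync comment lines
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip()
            modules[current] = {}
            continue
        s = _SETTING.match(line)
        if not s:
            continue
        target = globals_ if current is None else modules[current]
        target[s.group("key").lower()] = s.group("val")
    return globals_, modules


def _effective(globals_, module, key, default=None):
    # Module settings override the global section, as rsync itself does.
    return module.get(key, globals_.get(key, default))


def audit_rsyncd_conf(text):
    """Return {module: [finding, ...]} for modules exposed to anonymous clients."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = {}
    for name, mod in modules.items():
        issues = []
        if _effective(globals_, mod, "auth users") is None:
            issues.append("no 'auth users': clients connect without a password")
        if _effective(globals_, mod, "hosts allow") is None:
            issues.append("no 'hosts allow': reachable from any source address")
        if _effective(globals_, mod, "list", "yes").lower() in ("yes", "true", "1"):
            issues.append("'list = yes': module name can be enumerated")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for module, issues in audit_rsyncd_conf(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}]")
        for issue in issues:
            print("  -", issue)
```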

Resources
Denwalt, D. (2019, January 17). Oklahoma government agency left millions of files unsecured, including sensitive data, cybersecurity team finds. Retrieved from https://www.tulsaworld.com/news/state-and-regional/oklahoma-government-agency-left-millions-of-files-unsecured-including-sensitive/

Dissent. (2019, January 16). Massive Oklahoma government data leak exposes 7 years of FBI investigations. Retrieved from https://www.databreaches.net/massive-oklahoma-government-data-leak-exposes-7-years-of-fbi-investigations/

Mikelionis, L. (2019, January 17). FBI records, emails, social security numbers exposed in massive data leak, security experts say. Retrieved from https://www.foxnews.com/tech/oklahoma-government-data-leak-exposed-fbi-investigations-emails-dating-back-17-years-social-security-numbers

O’Donnell, L. (2019, January 16). Millions of Oklahoma gov files exposed by wide-open server. Retrieved from https://threatpost.com/oklahoma-gov-data-leak/140936

Osborne, C. (2019, January 17). Oklahoma government data leak exposes FBI investigation records, millions of department files. Retrieved from https://www.zdnet.com/article/oklahoma-gov-data-leak-exposes-millions-of-department-files-fbi-investigation

The Associated Press. (2019, January 17). Firm: Oklahoma securities agency’s computer files breached. Retrieved from https://www.thestate.com/news/business/national-business/article224681545.html


Sunday, October 27, 2019

Mitsubishi Electric Issues

Due to several significant factors, there are a limited number of automobile manufacturers. The infrastructure expenses alone are massive and limit the scope of potential persons and organizations financially able to be involved.


Mitsubishi, which is Japan-based, is one of these manufacturers. As with most such organizations, there are separate organizations under the general corporate envelope. For Mitsubishi, one of these is Mitsubishi Electric.


FR Configurator 2 Inverter Engineering Software
The subject issue is with the FR Configurator 2 inverter software. This affects versions 1.165 and 1.10L and prior of SW1DND-FRCZ-E or -J. The software lets the user set up, program, configure, and monitor the drives. It runs on all versions of MS Windows and is used throughout the world.


Vulnerabilities
With this software tool, there are three significant vulnerabilities. The first is a high-severity issue with a CVSSv3 score of 8.8. It is associated with XML external entity (XXE) processing and works by exploiting DTD parameter handling. When this vulnerability is exploited, the attacker is able to read and exfiltrate files located on the targeted system. To execute this, the user only has to open a malicious file. As a bonus for the attacker, this may in certain instances allow them to execute their malicious code on the target system. This has been labeled as ICSA-19-204-01 and CVE-2019-10976.
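The defensive side of the XXE issue, as an added example that is not Mitsubishi's code and says nothing about how FR Configurator 2 actually parses its files: XXE depends on a DOCTYPE to declare the entities it abuses, so a tool that loads project files from untrusted sources can refuse any document carrying a DTD and refuse to resolve external entities as a second layer. The flat `<settings>` file format and both sample documents are constructed for the example; only the standard-library expat binding is used.

```python
"""Refuse XML that declares a DTD or entities before anything can be fetched."""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document tries to declare or reference entities."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat <settings><key>value</key>...</settings> file into a dict.

    A DOCTYPE, an <!ENTITY> declaration, or an external entity reference
    aborts the parse before any file path or URL could be opened.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities (the %name; mechanism XXE relies on).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(*_args):
        raise UnsafeXMLError("DTD/entity constructs are not allowed in this file")

    parser.StartDoctypeDeclHandler = refuse     # <!DOCTYPE ...>
    parser.EntityDeclHandler = refuse           # <!ENTITY ...> in an internal subset
    parser.ExternalEntityRefHandler = refuse    # any attempt to resolve a SYSTEM id

    settings, stack, buf = {}, [], []

    def start(name, _attrs):
        stack.append(name)
        buf.clear()

    def chars(text):
        buf.append(text)

    def end(name):
        if len(stack) == 2:                     # direct child of the root element
            settings[name] = "".join(buf).strip()
        stack.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return settings


# Constructed samples: a benign drive-parameter file and one carrying an XXE-style DTD.
BENIGN = b"""<?xml version="1.0"?>
<settings><drive>inverter-01</drive><baud>38400</baud></settings>"""

MALICIOUS = b"""<?xml version="1.0"?>
<!DOCTYPE settings [
  <!ENTITY % ext SYSTEM "file:///PLACEHOLDER/path">
  %ext;
]>
<settings><drive>&leak;</drive></settings>"""


def is_safe_to_load(data: bytes) -> bool:
    """True if the document parses without any DTD/entity construct."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, expat.ExpatError):
        return False


if __name__ == "__main__":
    print("benign:", is_safe_to_load(BENIGN), parse_untrusted_xml(BENIGN))
    print("malicious:", is_safe_to_load(MALICIOUS))
```

The same refusal also stops entity-expansion (CPU exhaustion) documents, since those need a DTD as well.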


The second vulnerability permits the attacker to stop the software from responding. This operates much like a DoS attack, aka CPU exhaustion. The only way to resolve this is to do a hard restart. This vulnerability is labeled as ICSA-19-204-01 and CVE-2019-10972. It has been rated as a medium-severity issue with a CVSSv3 score of 5.5. It is also exploited by having the user open a malicious file. The first and second vulnerabilities both require social engineering and a phishing attempt. The end goal is to have the user open the email and attachment.


The third and last vulnerability is rated as high severity, with a CVSSv3 score of 8.2. With this issue, the problem is with the binary's read, write, and execute rights. This allows for privilege escalation. When exploited, this allows an account with lower-level privileges, such as a guest account, to increase its rights and possibly execute malicious files.


Remediated 
These vulnerabilities were relatively significant. They could allow successful attackers to effectively shut down a system, exfiltrate data, and elevate privileges. Mitsubishi Electric advised users not to open files from sources unknown or untrusted to the user. When the user receives an unsolicited email, the user should not click on links or attachments.

Resources 
Cyware. (2019, July 24). Vulnerabilities found in Mitsubishi inverter engineering software. Retrieved from https://cyware.com/news/vulnerabilities-found-in-mitsubishi-inverter-engineering-software-fe6610d7


ISS Source. (2019, July 23). Mitsubishi fixes FR Configurator 2 holes. Retrieved from https://isssource.com/mitsubishi-fixes-fr-configurator-2-holes/


Kovacs, E. (2019, July 24). Vulnerabilities found in Mitsubishi inverter engineering software. Retrieved from https://www.securityweek.com/vulnerabilities-found-mitsubishi-invertr-engineering-software


Mitsubishi Electric. (2019, July 23). XML vulnerability in FR Configurator 2. Retrieved from https://www.mitsubishielectric.com/fa/download/software/drv/inv/vulnerability-protection/2019-001.pdf


Mitsubishi Electric. (2019, July 24). AUSCERT external security bulletin redistribution. 


US-CERT. (2019, July 23). ICS advisory (ICSA-19-204-01). Retrieved from https://www.us-cert.gov/ics/advisories/icsa-19-204-01


Westenberg, T. (2019, July 24). AR 2019011: Mitsubishi Electric FR Configurator 2 multiple vulnerabilities.

Zurkus, K. (2019, May 22). Firmware vulnerability in Mitsubishi Electric. Retrieved from https://www.infosecurity-magazine.com/news/firmware-vulnerability-in-1/

Tuesday, October 22, 2019

Just when you think it can't get any worse: VFEmail attack

Organizations have a few options when it comes to their email service. They could host it on-premises or use a service. One such service is VFEmail. The paramount aspect of this service is the data. Without the emails, active and archived, there are issues, and these show up almost immediately. Misplacing this data is unthinkable; losing it permanently would be epic. To state this would be a nightmare would be an understatement. Unfortunately, this occurred in February 2019 with VFEmail when the organization was successfully attacked, with the attacker deleting the current data and backups.

VFEmail.net was a US-based secure, private email provider. The organization was started in 2001 by Rick Romero and provided its services both free and for a fee.
Attack
The attack took place on February 11. The staff noticed a problem when the servers went offline. No outage was planned, which made this especially odd. The attacker was caught in the act of formatting the backup server. This particular server was located in the Netherlands. The end result of the attack was that all the disks were completely wiped, erasing the organization's entire infrastructure. This included the mail hosts, VM hosts, and a SQL server cluster. The attack appeared to have originated from IP 94.155.49.9 with the username "aktv". This IP is registered in Bulgaria. All this damage occurred within a few hours. Fortunately, the servers in the Netherlands with the backups were not affected.
Data 
The affected data included emails and backup files. In effect, this deleted nearly 20 years of data. The odd aspect of this attack was that there was no reason to delete the data. There was no ignored ransom request or other rationale for doing this. The attackers just did it. Attacks with such a rationale are generally the more commonly encountered ones.
Post-Attack
The attacker is still unknown, and the attack method has not been published. VFEmail rebounding from this will be difficult, not only from the technical aspect but also in terms of customer rapport.

Resources
Al-Heeti, A. (2019, February 12). Email provider hack destroys nearly two decades’ worth of data. Retrieved from https://www.cnet.com/news/email-provider-hack-destroys-nearly-two-decades-worth-of-data/ 

Boyd, C. (2019, February 14). Hacker destroys VFEmail service, wipes backups. Retrieved from https://blog.malwarebytes.com/cybercrime/2019/02/hacker-destroys-vfemail-service-wipes-backups/ 

Emerson L. Sullivan. (2019, February 18). Hackers destroyed VFEmail service-Deleted its entire data and backups within hours. Retrieved from https://blog.yoocare.com/hackers-destroyed-vfemail-service-deleted-entire-data-backups-within-hours/ 

Goodin, D. (2019, February 12). "Catastrophic" hack on email provider destroys almost two decades of data. Retrieved from https://arstechnica.com/information-technology/2019/02/catastrophic-hack-on-email-provider-destroys-almost-two-decades-of-data/

Khandelwal, S. (2019, February 13). Hackers destroyed VFEmail service-deleted its entire data and backups. Retrieved from https://thehackernews.com/2019/02/vfemail-cyber-attack.html 

Krebs, B. (2019, February 19). Email provider VFEmail suffers "catastrophic" hack. Retrieved from https://krebsonsecurity.com/2019/02/email-provider-vfemail-suffers-catastrophic-hack/

Paganini, P. (2019, February 13). Hacker deleted all data from VFEmail servers, including backups. Retrieved from https://securityaffairs.co/wordpress/81030/hacking/femail-destructive-cyberattack.html 

Reynolds, C. (2019, February 13). “Catastrophic destruction”: Hacker takes a match to email provider. Retrieved from https://www.cbronine.com/author/conor/ 

Tech Info Gig. (2019, February 19). Hackers destroyed VFEmail service deleted its entire data and backups. Retrieved from https://techinfogig.blogspot.com/2019/02/hackers-destroyed-service.html 

Friday, October 18, 2019

Not all is lost! Great defenses count

Usually, the blogs detail a successful, in-depth attack. When possible, the attack vector is disclosed. There aren’t a tremendous number of success stories for various reasons. Seemingly most of the successful attacks use the same two or three attack vectors. These work most of the time for the attackers. 

Recently, an organization allowed a set of articles to elaborate on its trials and tribulations in the cyberland we call home. Having a company come forward to share its experiences is pleasant in comparison to most of the articles.
Student Loans Company (SLC) 
The SLC is a government agency providing student loans for UK university and college students. This is financially a large organization with $117B in outstanding student loans per their 2017/2018 annual report. SLC manages data on its 8.1M registered clients. The data generally is financial in nature and is considered sensitive and confidential. 
Targeted
Across the board, cybersecurity attacks are on the rise. The attackers have figured out how to efficiently generate revenue from these endeavors and have been expanding their reach. The attackers are not going to waste time attacking an organization without a good reason; their time is treated as a commodity. There is also too much potential liability with an attack. In this example, the sensitive information is ripe to be exfiltrated and sold on the dark web. The 8.1M records would bring a significant amount for the attackers.
Attacks
In 2018, SLC was attacked 965,639 times. To put this in perspective, that would be on average 2,646 attacks every single day through the year, including weekends. These included malware attacks, DoS (denial-of-service), malicious calls, and other cyberattacks. Of all the blocked attempts throughout the year, there was one successful attack. Granted, based on where this occurred, the story could be fine or very bad. If this were to be in the finance or accounting office, there could be rather significant issues immediately. 

In this case, the issue was cryptocurrency focused. Within the last five years, there has been much attention paid to this. People have been using crypto miners hoping to mine enough to purchase more equipment or at least make a decent return on the equipment purchased. SLC was, unfortunately, a victim of this. Someone placed cryptocurrency mining malware on its system; specifically, a Monero cryptojacking virus was used. The company's website, slc.co.uk, hosted the virus. Visitors to the website became infected if their systems still had the relevant vulnerability open, which the malware then exploited.
Robust
Although there was the crypto mining incident, the company continues with its mission of being aware of the network at all times and vigilant. Cybersecurity continues to be a top priority for the SLC. The focus continues to be protecting the confidential data.

It is easy to claim this. In this case, however, the proof is present. All of the attacks through the year were unsuccessful, except for the one Monero crypto mining incident. That one was also not entirely the company's responsibility: the attack occurred because a third-party plug-in allowed the malware onto the website.
Lessons Learned 
The company quantified the attacks over the year, and these were rather substantial. The organization seems to be taking its cybersecurity seriously. A proper cybersecurity regimen takes time and expense to implement and maintain; however, it is worth it in the short and long term.

Resources
Ashford, W. (2019, February 4). Massive uptick in cyber attacks targeting student loans company. Retrieved from https://www.computerweeky.com/news/252456975 

Fadilpasic, S. (2019, February 4). UK student loans company hit by a million cyberattacks last year. Retrieved from https://www.itproportal.com/news/uk-student-loans-company-hit-by-a-million-cyberattacks-last-year/  

IT Pro. (2019, February). Student loans company hit by a million cyber attacks last year. Retrieved from https://www.itpro.co.uk/security/32902/student-loans-company-hit-by-a-million-cyber-attacks-last-year 

Muncaster, P. (2019, February). Student loans company hit by one million cyber-attacks. Retrieved from https://www.infosecurity-magazine.com/news/student-laons-comany-hit-one/ 

Ray, T. (2019, February 4). Student loans company hit by one million cyber attacks last year. Retrieved from https://www.informationsecuritybuzz.com/study-research/student-loans-company-hit/ 

Sowells, J. (2019, February 10). Student loans company hit by one million cyber attacks in 2018. Retrieved from https://hackercombat.com/student-loans-company-hit-by-one-million-cyber-attacks-in-2018/  

Monday, October 14, 2019

Qualcomm at it again

Android phones are in use across the planet. There is not a moment the sun is not shining on an Android phone somewhere. The smartphone is a conglomerate of parts from multiple suppliers. It seems as though one of these suppliers had another issue recently.

Android phones have seen many, many viable attacks over the years. These seem to appear with regularity, unfortunately for the consumer. One of the latest Android Security Bulletins was published in August 2019. Of the many vulnerabilities noted, three involved the Qualcomm chip.

These attacks were engineered to exploit a vulnerability in the Android kernel via the over-the-air (OTA) function. On a brighter note, these are only partially remote attacks, which limits the attackers. Thus the attacker can't sit on a beach in the Caribbean and remotely take over your phone. For this to work, the attacker and target are required to be on the same network. This significantly limits the target base for the attackers. Curiously, it also does not require user interaction, such as a phishing attack with malware; these are attacks using malicious packets sent OTA. This directly affects over a dozen chipsets.

Fortunately for the user, patches for these have been made available. CVE-2019-10538 was fixed with a patch to the Android OS source code. CVE-2019-10540 was fixed with code in Qualcomm's firmware. This differs from the Android OS in that the Qualcomm firmware is closed-source, in comparison to the open-source Android OS.

Specifically for this issue, there are three CVEs involved: CVE-2019-10538, -10539, and -10540. These are all buffer overflow vulnerabilities. CVE-2019-10538 affects the Qualcomm WLAN and the Android kernel. The exploit sends specially crafted packets to the WLAN to overwrite parts of the kernel. Once successful, the attacker is able to run code with kernel privileges. For -10539, the issue is present in the WLAN firmware and results from a missing length check against the IE header limit. Lastly, -10540 is a modem-into-kernel issue. This also affects the Qualcomm WLAN. The nuance with this one is that the issue is located within the modem firmware included with the chip from the manufacturer. To exploit it, the attacker begins with a specially crafted packet aimed at the device modem. This works so well due to a lack of validation of the count value combined with the crafted packets. This also allows for code execution.
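The missing length check described for -10539, shown from the defender's side as an added example that is not Qualcomm's code and does not reproduce its firmware: an 802.11 information element (IE) list is a stream of TLVs (1-byte element ID, 1-byte length, payload), and a receiver that copies each payload into a fixed-size buffer must check the declared length against both the bytes remaining in the frame and the buffer reserved for that element type. Python is used for readability; the SSID (ID 0, max 32 bytes) and Supported Rates (ID 1, max 8 bytes) limits are real 802.11 constants, while the frames are constructed samples.

```python
"""Bounds-checked parser for an 802.11 information element (IE) list."""
from typing import List, Tuple

# Largest payload a receiver should accept per element ID (802.11 limits).
MAX_IE_LEN = {0: 32, 1: 8}
DEFAULT_MAX_IE_LEN = 255


class MalformedIE(ValueError):
    """Raised when an IE header claims more bytes than are available or allowed."""


def parse_ies(frame: bytes) -> List[Tuple[int, bytes]]:
    """Return [(element_id, payload), ...] or raise MalformedIE."""
    ies = []
    pos = 0
    while pos < len(frame):
        if len(frame) - pos < 2:                        # header itself is truncated
            raise MalformedIE(f"dangling byte at offset {pos}")
        eid, length = frame[pos], frame[pos + 1]
        pos += 2
        remaining = len(frame) - pos
        if length > remaining:                          # the check that was missing
            raise MalformedIE(f"IE {eid}: length {length} exceeds remaining {remaining}")
        if length > MAX_IE_LEN.get(eid, DEFAULT_MAX_IE_LEN):
            raise MalformedIE(f"IE {eid}: length {length} exceeds buffer limit")
        ies.append((eid, frame[pos:pos + length]))
        pos += length
    return ies


def build_ies(*elements: Tuple[int, bytes]) -> bytes:
    """Encode (id, payload) pairs into an IE list; used to construct the samples."""
    out = bytearray()
    for eid, payload in elements:
        if len(payload) > 255:
            raise ValueError("IE payload too long for a 1-byte length field")
        out += bytes([eid, len(payload)]) + payload
    return bytes(out)


# Constructed sample frames (IE lists only, no 802.11 header).
GOOD_FRAME = build_ies((0, b"guest-wifi"), (1, bytes([0x82, 0x84, 0x8B, 0x96])))
TRUNCATED = bytes([0, 40]) + b"short"            # claims 40 bytes, provides 5
OVERSIZED = build_ies((0, b"A" * 40))            # fits the frame, exceeds the 32-byte SSID buffer


def validate_frame(frame: bytes) -> str:
    """Return 'ok' or the reason a receiver should drop the frame."""
    try:
        parse_ies(frame)
        return "ok"
    except MalformedIE as exc:
        return str(exc)


if __name__ == "__main__":
    for label, frame in (("good", GOOD_FRAME), ("truncated", TRUNCATED), ("oversized", OVERSIZED)):
        print(f"{label}: {validate_frame(frame)}")
```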

In theory, you could chain -10538 and -10540 together. This would allow attackers to take complete control over the Android phones within the attacker's WiFi. This full access allows the attacker to install any app or rootkit, exfiltrate sensitive data, and perform other completely malicious activities.

This is not a training issue for the staff, but an issue with applying security within the SDLC. A portion of the issues could have been caught with cybersecurity applied throughout the project and a thorough pentest.



Resources
Bhatia, R. (2019, April 25). Qualcomm chips vulnerability puts Android devices at risk. Retrieved from https:/www.securitynewspaper.com/2019/04/25/qualcomm-chips-vulnerability-puts-android-devices-at-risk/

Cimpanu, C. (2019, August 6). QualPwn vulnerabilities in Qualcomm chips let hackers compromise Android devices. Retrieved from https://www.zdnet.com/article/qualpwn-vulnerabilities-in-qualcomm-chips-let-hackers-compromise-android-devices/

Kumar, M. (2019, August 6). New flaws in Qualcomm chips expose millions of Android devices to hacking. Retrieved from https://thehackernews.com/2019/08/android-qualcomm-vulnerability.html

Paganini, P. (2019, April 28). Critical flaw in Qualcomm chips exposes sensitive data for Android devices. Retrieved from https://securityaffairs.com/wordpress/84612/hacking/qualcomm-flaw-android-devices.html

Samsung Mobile. (2019, August). Android security updates. Retrieved from https://security.samsungmobile.com/securityUpdate.smsb 

Qualcomm. (2019, August 5). Security bulletins. Retrieved from https://www.qualcomm.com/compnay/product-security/bulletins 

Tuesday, October 1, 2019

Bridport pwned!


Sir John Colfox Academy is a secondary school in Bridport, Dorset in the UK. The school has 828 students, aged between 11 and 18.
Attack
On a fateful work day, much like any other, a staff member received an email. This was one of the hundreds of emails received on a weekly basis. This one, however, claimed to be from a colleague at another Dorset school. Not thinking a malicious person would have sent this, the staff member opened the email and clicked on the content on February 28, 2019. While this may have seemed innocent enough, the email actually appears to have been sent from China and forwarded from a server in Germany.
The click opened the door to the system's infection, and the network had an issue. The malware was reported as ransomware and, as expected, immediately began to encrypt files. The attackers, following the next step of the ransomware playbook, demanded payment for the decryption key. The school consulted a police expert regarding the substantial issue. After a review, it was noted the attack did not likely exfiltrate any school data, and staff, student and parent data were not on the system that was breached. The research into this indicated the attack may have been part of a much larger international operation.
Data
In particular, for this case, Year 11 students had submitted their coursework. This coursework was saved on the school's network. Due to the issue, the coursework in the subject was lost. While the description is short, the devastation is significant. The hope is that the students had this backed up somewhere.
Mitigation
The school is working with a particular exam board to resolve the issue. It is also working with the Dorset Police cybercrime unit. Although there was a demand for funds, no payment was made. This is generally the policy to follow, due to the potential secondary issues with just making the payment. The school had to notify the parents and sent a letter explaining the issue.
Discussion
Targets are generally attacked to compromise their systems, either to gain access to data for exfiltration or to extort funds. In the early days, these may have been more of an exercise; however, the attackers have operationalized the model. Ransomware has proven itself to be a popular, viable, and successful attack tool. Over the last four years, this has been very profitable for the attackers.
Lessons Learned
Ransomware is used so often that it has become routine. The frequency is mostly due to the simplicity of the attack, the financial rewards, and the fact that it tends to shut down operations until the fee is paid (not advised) or the issue is remediated by restoring backups, followed by a thorough review to ensure nothing was left behind by the attackers that they could use later for re-entry.
There needs to be continued training for the staff. This removes a significant portion of the opportunity for an issue. If the staff know what the usual forms of the attack are, these are less likely to be clicked on, and fewer systems would be infected. There also need to be backups, which are regularly checked to ensure they are viable.

Resources
Hussain, D. (2019, March 14). Secondary school is being held to ransom after a 'Chinese cyber attack' caused the loss of Year 11 students' GCSE coursework. Retrieved from https://www.dailymail.co.uk/news/article-6808845/Secondary-school-held-ransom-cyber-attack-caused-loss-students-GCSE-coursework.html

Sjouwerman, S. (2019, March 14). GCSE coursework lost in ransomware attack on UK Bridport school. Retrieved from https://blog.knowbe4.com/gcse-coursework-lost-in-cyber-attack-on-uk-bridport-school

Speck, D. (2019, March 15). GCSE coursework lost in ransomware attack. Retrieved from https://www.tes.com/news/gcse-coursework-lost-ransomware-attack

Wakefield, J. (2019, March 13). GCSE coursework lost in cyber attack in Bridport school. Retrieved from https://www.bbc.com/news/uk-england-dorset-47551331